protos.com
In just over 15 hours, three unlucky crypto users lost a total of $876,000 worth of assets to common on-chain scams.
A combination of techniques, specifically ‘approval phishing’ and ‘address poisoning,’ were used in the scams, which were spotted by X (formerly Twitter) account Scam Sniffer.
The first, and largest, of the thefts was caused by a user signing a malicious ‘permit’ transaction, allowing the scammer to steal 211 Lido-staked ether (stETH) worth $654,000.
Read more: Compound Finance and Celer Network websites compromised in ‘front-end’ attacks
Phishing with drainers
According to Scam Sniffer, the address to which the victim had inadvertently granted approval to move their stETH was “a malicious contract disguised as a Token.” These dangerous permit or approval transactions are often presented to users by scam-as-as-service malware packages called wallet ‘drainers.’
The drainers are often disseminated via hacked X (formerly Twitter) accounts, which can be used to post FOMO-stoking airdrop or token launch announcements, before linking the victim to a wallet drainer script.
Prolific blockchain detective ZachXBT described the typical workings of such groups, who take control of accounts via SIM-swapping, in a post on X last year.
Another method is via so-called ‘front-end’ attacks, in which the genuine domains of crypto platforms are hijacked to craft malicious transactions and serve drainers to potential victims’ wallets.
Drainer packages themselves are developed as a product or service to be used by the phishing scammers. A cut of each theft is automatically split between the drainer developers and the scammers that use them.
This model has proven to be extremely profitable. In May, when a prolific drainer service known as Pink Drainer announced its retirement after facilitating $75 million worth of thefts, crypto security firm SlowMist identified over $20 million held in related addresses.
Inferno Drainer, which shut down a year ago, has been cashing out its ill-gotten gains recently, sending a total of 4,010 ETH (currently worth $12.4 million) to sanctioned crypto mixer Tornado Cash. Previous attempts to use alternative privacy tool Railgun were blocked by the team.
Read more: Pink Drainer ‘steps back from the grind’ after stealing $75M from victims
Address poisoning scam
The other two victims lost similar amounts (111,500 and 111,726) of the USDT stablecoin to ‘address poisoning,’ a type of scam which, while much simpler, proves equally dangerous.
Address poisoning relies on victims accidentally copy/pasting a scammer’s address from a ‘contaminated’ transaction history on a blockchain explorer such as Etherscan.
Read more: Refund of $70M ‘address poisoning’ scam ongoing, over 50% returned
Often, following sizable transfers, fake versions of common tokens will suddenly appear in a potential victim’s address, or appear as ‘spoofed’ transfers to accounts with similar leading and trailing characters to the genuine address (as can be seen in Scam Sniffer’s screenshot above).
Despite efforts to hide these misleading transactions by the explorer’s developers, losses are still common. For higher-value victims, scammers even opt to send genuine tokens as a workaround, putting real money on the line whilst hoping to hook a big win.
Staying off the hook
As always, double-check the URL or X account handles before clicking any links or connecting a crypto wallet. However, this may not be enough in the case that the genuine website or account has been compromised.
Learn how approvals and permits work. It is important to maintain strict ‘approval hygiene,’ revoking any active approvals and avoiding setting or accepting ‘infinite’ approvals when prompted.
Additionally, the use of built-in wallet address books can flag any unexpected addresses involved in a transaction which may be harder to spot by eye. These addresses can then be re-used instead of copying from a (potentially contaminated) transfer history.
Don’t rush, and don’t sign anything you don’t understand
Despite these well-known security measures, plenty of accidents still occur. Be it down to distraction, FOMO, rushing, or tiredness, it’s not difficult to imagine how even experienced crypto users fall for these scams on a regular basis.
Scam Sniffer’s most recent monthly round-up identified “approximately 12K victims [who] lost $20.2 million to crypto phishing scams” in October, with four cases of over $1 million. Despite an overall total 56% lower than the previous month, the number of victims grew by 20%.